From: Victor Grey
Date: Mon, 04 Feb 2002 11:01:24 -0800
Subject: Is this evidence of a break in on my server?

I have a server co-located at a (supposedly) secure data center, running Fbsd 4.4 release. According to /var/log/messages it rebooted itself at one minute before midnight last night, and then (I think that's what the lines in messages mean) discovered a mouse attached. Then at 43 minutes past midnight there were six login failures. (Running tripwire this morning showed nothing suspicious.)

Well - there shouldn't be any mouse attached, it's a headless server. Furthermore, if I understand it correctly, a login failure at ttyv0 means at a local terminal -- not a remote break-in attempt. The data center swears there was no one in there last night.

Can someone verify for me that I am interpreting the log correctly before I start accusing the data center people? Or any other insights/things I should look at?

Here are the relevant lines from /var/log/messages:

-----------------------------
Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
-----------------------------

Thanks,
Victor Grey
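
A triage sketch for the log excerpt in the message above, added here as an example and not part of the original post: it pulls login(1) failure records out of syslog text, labels each tty by its FreeBSD 4.x device-name prefix (ttyv = syscons console, ttyd = serial, ttyp = pseudo-terminal), and measures the gap to the last kernel message. The year 2002 is assumed from the mail date because syslog lines carry none, and the final sample line is constructed for contrast.

```python
import re
from datetime import datetime

# Lines 1-4 are the ones quoted in the message; line 5 is constructed here
# to show a pseudo-terminal failure next to the console ones.
SAMPLE = """\
Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
Feb 4 02:10:05 p2 login: 2 LOGIN FAILURES ON ttyp1, admin
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^:]+):\s(.*)$")
FAIL = re.compile(r"(\d+) LOGIN FAILURES? ON (\w+)(?:, (\S+))?")

# FreeBSD 4.x device-name prefixes: syscons, sio dial-in, pty.
TTY_CLASS = {"ttyv": "local console", "ttyd": "serial line",
             "ttyp": "pseudo-terminal"}

def classify_tty(tty):
    return TTY_CLASS.get(tty[:4], "unknown")

def triage(text, year=2002):
    """Return (login_failures, kernel_message_times) from syslog text."""
    failures, kernel_times = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, tag, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if tag == "/kernel":
            kernel_times.append(when)
        f = FAIL.search(msg) if tag.startswith("login") else None
        if f:
            failures.append({"time": when, "count": int(f.group(1)),
                             "tty": f.group(2), "user": f.group(3),
                             "source": classify_tty(f.group(2))})
    return failures, kernel_times

if __name__ == "__main__":
    fails, ktimes = triage(SAMPLE)
    for f in fails:
        mins = (f["time"] - max(ktimes)).total_seconds() / 60
        print(f'{f["time"]} {f["tty"]} ({f["source"]}) user={f["user"]} '
              f'count={f["count"]}, {mins:.0f} min after last kernel message')
```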